[Openid-specs-fapi] Issue #293: PKCE & Nonce Security Considerations (openid/fapi)

dgtonge issues-reply at bitbucket.org
Wed May 20 14:49:03 UTC 2020

New issue 293: PKCE & Nonce Security Considerations

Dave Tonge:

@{5b73d0fb816d1805baacb64f} has posted a very useful analysis of nonce and PKCE:


We should consider whether to add additional security considerations around this in FAPI and if so, whether they need to be in part 1 or part 2.

There was discussion on the call today of potentially requiring servers to reject token requests with a code_verifier where none was expected.

There was also discussion about whether in Part 2 we are protected against such attacks due to the integrity protection from JARM or ID Tokens.

We agreed to open this issue for further discussion.
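As an added illustration (not code from the thread, the FAPI specs or any implementation) of the token-endpoint behaviour discussed above, assuming the server keeps a record of the code_challenge bound to each issued code at authorization time:

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class IssuedCode:
    """Constructed stand-in for the server's record of an issued authorization code."""
    code_challenge: Optional[str]          # None when the authorization request had no PKCE
    code_challenge_method: Optional[str]   # "S256" is the only method FAPI permits


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_pkce(record: IssuedCode, code_verifier: Optional[str]) -> bool:
    """True only when the token request's PKCE state matches what the code was issued with.

    Strict variant from the discussion: a code_verifier where none was expected
    is rejected rather than silently ignored.
    """
    if record.code_challenge is None:
        # No challenge was bound at authorization time: a verifier now is unexpected
        return code_verifier is None
    if code_verifier is None:
        return False  # challenge bound, verifier missing
    if record.code_challenge_method != "S256":
        return False  # 'plain' (or anything unknown) is not acceptable
    # Recompute the challenge and compare in constant time
    return hmac.compare_digest(s256_challenge(code_verifier), record.code_challenge)
```

The verifier/challenge pair used in the checks is the worked example from RFC 7636 Appendix B.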
